Cloud workloads need access to the internet for a variety of reasons, and opening that access introduces risk. While your workloads (hopefully) don’t have web browsers installed from which users are browsing suspicious websites, legitimate access might mean API connectivity to a third-party service, software update services, and more. While enabling this access, it is critical that you protect these outbound communications to prevent bad actors from using them to gain a foothold in your network.
Unfortunately, secure workload access to the internet has historically been way more complicated and costly than it should be. Let’s use AWS as an example for this post, though most concepts are similar for the major cloud providers.
Six challenges with workload-to-internet communications
- Most organizations will have a number of VPCs in which they host applications and other services. Within each VPC, virtual next-generation firewalls (vNGFWs) are likely to be used to control east-west traffic flows within and across VPCs.
- To secure internet access for those workloads, you will typically build outbound VPCs in which to layer virtual security appliances. This may include virtual firewalls, DLP services, threat protection VMs, and more. Each of these services has a licensing fee, another vendor to deal with, and requires expertise to manage and operate properly.
- These services must be chained together, introducing latency and operational complexity. With service chaining, the performance of the entire system is dictated by the slowest link in the chain. Because these systems always have scale limitations and are statically sized, you are faced with a choice: either dramatically over-provision to account for traffic bursts, or risk a slow user experience or denial of service when unexpected traffic spikes do happen.
- Connecting the VPCs hosting your applications to your outbound security VPC(s) also requires the use of a Transit Gateway. The Transit Gateway acts like a cloud router and is a paid service with both a time and a data-transfer cost component. Every VPC, including any security VPCs, must be manually attached, or peered, to the Transit Gateway.
- At this point, you’ll probably also create a management VPC, within which you will run firewall management and orchestration software to centrally manage the growing inventory of security services.
So, even after the first five challenges, you end up with:
- High cost
- Poor scalability
- Questionable availability
- High overhead, error-prone management
- Poor visibility across many hops, making it difficult to troubleshoot
Figure 1: Legacy security raises risk and complexity
- And, all of this complexity is to deploy into a single availability zone (AZ). Unfortunately, the process needs to be repeated for every AZ in your cloud footprint.
Figure 2: For multi-cloud, complexity grows multi-fold
Secure, simple workload-to-internet access
Fortunately, there is a better path forward with Zscaler Workload Communications (ZWC). ZWC drastically simplifies internet security for cloud workloads by providing automated, flexible, and direct connectivity through the Zscaler Zero Trust Exchange. Powered by Zscaler Internet Access (ZIA) and Cloud Connector, the solution provides deep visibility and full control of outbound traffic from any cloud.
ZWC provides a lightweight, fully automated deployment infrastructure that is operational in seconds. From there, simple business-level policies steer traffic to the Zscaler cloud via unified management. All internet access is protected by the scalable, secure ZIA service that is already protecting thousands of enterprises and millions of users globally.
The benefits are clear, delivering:
- Simplified connectivity by eliminating backhauling and removing all peering, route distribution, and service chaining.
- Scalability via the power of the industry’s largest security cloud. Cloud Connector, which is deployed in your VPCs, is built on a DTLS architecture, delivering 4-5x better performance compared to IPsec.
- Visibility with full logging and a single, integrated platform that simplifies operations and troubleshooting.
Figure 3: Zscaler Workload Communications: Secure, simple connectivity
To deliver cloud security at scale, you cannot replicate an on-premises approach in the cloud. Zscaler Workload Communications provides security, simplicity, and high performance for workload-to-internet access. If the challenges highlighted in this post sound familiar to you, learn more about the full suite of Zscaler Cloud Protection services or contact us today.